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DETAILED ACTION 

Applicant amends claims 1-3, 7 & 8 and claims 4, 5, 9 & 10 have been cancelled. 
Claims 1-3, 7, 8 & 1 1 are presented for examination. 

Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1 .1 7(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 04 
February 2010 has been entered. 

Response to Arguments 

Applicant's arguments with respect to claims 1-3, 7, 8 and 1 1 have been 
considered but are moot in view of the new grounds of rejection. However, the 
Examiner remarks on the amendments filed. 

1 . Applicant claims the following limitation: " if the read input data is a branch 
instruction , determining whether a branch destination address of the branch instruction 
is larger than a branch origin address based only on the one byte of the data read and if 
the branch destination address is larger than the branch origin address storing the 
branch destination address and branch origin address" (emphasis added). 

The Examiner applies Hollander et al (U.S. Pat 6301699 B1), hereinafter referred 
to as Hollander. Hollander teaches, at least, in Figure 7, elements 141 & 142, 
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"ANALYZE NEXT INSTRUCTION," "TYPE OF INSTRUCTION." The Examiner further 
notes 2 of the 3 options provided by element 142 are "TARGET OF A JUMP" & "ELSE" 
which represent alternatives to the "TYPE OF INSTRUCTION" jump option. Ergo, 
Hollander teaches when the "read input data is not a branch instruction." 

The "if conditional, by its very nature, exhibits alternative steps in the event the 
"if conditional fails; the alternative step(s) may, or may not, be limited to not performing 
any step(s). While the claimed limitation does not rise to the level of indefiniteness, the 
claimed limitation is optional. 

The prior art meets the optional component of the claim by explicitly teaching, 
either explicitly or inherently, the conditions to the optional component explicitly fails. 

2. Applicant claims "determining whether or not there is a call instruction at the 
branch destination address, and storing a call destination address of the call instruction 
if the instruction code at the branch destination address is a call instruction ." 

A broad and reasonable interpretation of a "call instruction" is inclusive of a "jump 
instruction" (e.g. jmp). The claim has been analyzed and given its broadest reasonable 
interpretation in light of and consistent with the written description (In re Morris, 127 
F.3d 1048, 1053-54, 44 USPQ2d 1023, 1027 (Fed. Cir. 1997)). 

The Examiner applies Hollander et al (U.S. Pat 6301699 B1), hereinafter referred 
to as Hollander. Hollander teaches, at least, the following method elements applied in 
Figure 7, elements 140 ^ 141 ^ 142 — "TARGET OF A JUMP" 146 ^ 148 ^ 141 
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_> 142 — "JUMP INSTRUCTION"^ 144. 
condition in the affirmative and negative. 
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Therefore, Hollander meets the claimed 



3. Applicant claims " if the stored call destination address is between the branch 
origin address and the branch destination address concluding that the input data 
includes a malicious process." 

The Examiner applies Yoshimi (U.S. Pat App Pub 2001/0011346 A1), hereinafter 
referred to as Yoshimi. Yoshimi teaches, at least, in the bottom part of Figure 3 and 
IP 72-^173 the "stored call destination address is not between the branch origin 
address and the branch destination address." 

The "if conditional, by its very nature, exhibits alternative steps in the event the 
"if conditional fails; the alternative step(s) may, or may not, be limited to not performing 
any step(s). While the claimed limitation does not rise to the level of indefiniteness, the 
claimed limitation is optional. 

The prior art meets the optional component of the claim by explicitly teaching, 
either explicitly or inherently, the conditions to the optional component explicitly fails. 

Claim Rejections - 35 USC §112 
The following is a quotation of the second paragraph of 35 U.S.C. 1 12: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

4. Claim 3 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite 
for failing to particularly point out and distinctly claim the subject matter which applicant 
regards as the invention. 
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Claim 3 recites the limitation "the instruction code group." There is insufficient 
antecedent basis for this limitation in the claim. 

7Any claim not specifically addressed above is being rejected as incorporating 
the deficiencies of a claim upon which it depends. 

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1-3, 7, 8 and 11 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Hollander et al (U.S. Pat 6301699 B1), hereinafter referred to as 
Hollander, in view of Yoshimi (U.S. Pat App Pub 2001/001 1346 A1), hereinafter referred 
to as Yoshimi. 

Re claims 1 , 2, 7 and 8 : Hollander teaches a data processing method including 
receiving input data containing a plurality of instructions codes, and judging whether or 
not a process executed based on the instruction codes contained in the received data is 
a malicious process, said method comprising: 

sequentially reading instructions of the input data at a time (Fig 7, elt 141; col 8, 
lines 18-21); 

determining whether or not the read data is a branch instruction (Fig 7, elt 141; 
col 8, lines 18-21); 
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if the read input data is a branch instruction, determining whether a branch 
destination address of the branch instruction is larger than a branch origin address 
based only on the one byte of the data read and if the branch destination address is 
larger than the branch origin address storing the branch destination address and branch 
origin address (Figure 7, elements 141 & 142, "ANALYZE NEXT INSTRUCTION," 
"TYPE OF INSTRUCTION." The Examiner further notes 2 of the 3 options provided by 
element 142 are "TARGET OF A JUMP" & "ELSE" which represent alternatives to the 
"TYPE OF INSTRUCTION" jump option). 

determining whether or not there is a call instruction at the branch destination 
address, and storing a call destination address of the call instruction if the instruction 
code at the branch destination address is a call instruction (Figure 7, elements 140 -> 
141 -> 142 — "TARGET OF A JUMP" -> 146^ 148 ^ 141 -> 142 — "JUMP 
INSTRUCTION"^ 144). 

However, Hollander does not expressly disclose sequentially reading one byte of 
the input data at a time; determining whether or not the stored call destination address 
is between the branch origin address and the branch destination address; if the stored 
call destination address is between the branch origin address and the branch 
destination address concluding that the input data includes a malicious process. 

Yet, Yoshimi teaches sequentially reading one byte of the input data at a time 
(Fig 3; 1J20; H23; 1J30); determining whether or not the stored call destination address is 
between the branch origin address and the branch destination address (11167; 1J172- 
1|173); if the stored call destination address is between the branch origin address and 
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the branch destination address concluding that the input data includes a malicious 
process (Fig 14; If 158; 1f170-1f176; If 184). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Hollander with the teachings of 
Yoshimi, for the purpose of predicting program execution in file processes and judging 
program execution prior to its execution (1f282). 

Re claim 3 : The combination of Hollander and Yoshimi teaches means for 
judging whether or not a predetermined character string is associated with a return 
address of the instruction (Hollander: Fig 4B, all elts). 

Re claim 11 : The combination of Hollander and Yoshimi teaches the malicious 
process causes an erroneous operation in the process executed based on the 
instruction codes contained in the received data (Hollander: Fig 4b, elt 106: col 4, lines 
62-65). 

Conclusion 

Examiner's Note: Examiner has cited particular columns and line numbers in the 
references applied to the claims above for the convenience of the applicant. Although 
the specified citations are representative of the teachings of the art and are applied to 
specific limitations within the individual claim, other passages and figures may apply as 
well. It is respectfully requested from the applicant in preparing responses to fully 
consider the references in entirety as potentially teaching all or part of the claimed 
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invention, as well as the text of the passage taught by the prior art or disclosed by the 
examiner. 

In the case of amending the claimed invention, Applicant is respectfully 
requested to indicate the portion(s) of the specification which dictate(s) the structure 
relied on for proper interpretation and also to verify and ascertain the metes and bounds 
of the claimed invention. 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. See PTOL-892. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to DARREN SCHWARTZ whose telephone number is 
(571)270-3850. The examiner can normally be reached on 7am-4pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571)272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

ID. SV 

Examiner, Art Unit 2435 
/Kimyen Vu/ 

Supervisory Patent Examiner, Art Unit 2435 



